| CVE ID | CVE-2025-12462 |
|---|---|
| Publication date | 02 March 2026 |
| Vendor | Studio Fabryka |
| Product | DobryCMS |
| Vulnerable versions | Up to 8.0 |
| Vulnerability type (CWE) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) |
| Report source | Report to CERT Polska |

| CVE ID | CVE-2025-14532 |
|---|---|
| Publication date | 02 March 2026 |
| Vendor | Studio Fabryka |
| Product | DobryCMS |
| Vulnerable versions | From 1.0 through 1.*; from 2.0 through 2.*; 5.0 |
| Vulnerability type (CWE) | Unrestricted Upload of File with Dangerous Type (CWE-434) |
| Report source | Report to CERT Polska |

Description
CERT Polska has received a report about vulnerabilities in DobryCMS software and participated in the coordination of their disclosure.
The vulnerability CVE-2025-12462: A blind SQL injection vulnerability has been identified in DobryCMS. A remote, unauthenticated attacker is able to inject SQL syntax into the URL path, resulting in blind SQL injection.
This issue was fixed in versions above 8.0.
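The advisory describes the injection point only as "the URL path"; the following is an added illustration, not DobryCMS code, of why a path segment used in SQL behaves as a blind injection and how a handler closes it. It assumes a hypothetical page lookup by slug (the table, the column names and the sample rows are constructed here) and shows the concatenating version beside one that validates the segment and binds it as a parameter.

```python
import re
import sqlite3

# Allow-list for a path segment used as a page slug (assumption for this example).
SLUG_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a CMS pages table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [("about", "About us", 1), ("draft-news", "Unpublished draft", 0)],
    )
    return conn


def find_page_vulnerable(conn: sqlite3.Connection, slug: str) -> list:
    """Vulnerable pattern: the path segment is spliced into the SQL text.

    Nothing is echoed back except whether rows came out, which is exactly the
    signal a blind injection relies on: a true/false condition appended to the
    slug changes the result set without any error message.
    """
    sql = "SELECT title FROM pages WHERE published = 1 AND slug = '" + slug + "'"
    return [row[0] for row in conn.execute(sql)]


def is_valid_slug(slug: str) -> bool:
    """Reject anything that is not a plain slug before it reaches the database."""
    return SLUG_RE.fullmatch(slug) is not None


def find_page_safe(conn: sqlite3.Connection, slug: str) -> list:
    """Hardened pattern: validate the segment, then bind it as a parameter.

    The '?' placeholder keeps the value out of the SQL grammar entirely, so even
    a slug that slipped past the regex could not alter the query structure.
    """
    if not is_valid_slug(slug):
        raise ValueError("invalid page slug")
    rows = conn.execute("SELECT title FROM pages WHERE published = 1 AND slug = ?", (slug,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(find_page_vulnerable(db, "about"))             # ['About us']
    print(find_page_vulnerable(db, "about' AND 1=1--"))  # ['About us']  (condition true)
    print(find_page_vulnerable(db, "about' AND 1=2--"))  # []           (condition false)
    print(find_page_safe(db, "about"))                   # ['About us']
```

The `published = 1` filter in the constructed table is there to show the impact the advisory implies: the concatenating version lets the filter be bypassed, while the parameterized version treats the whole segment as data. In a detection context, the distinguishing trace is a run of requests to one route whose path segment differs only by an appended boolean condition.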
The vulnerability CVE-2025-14532: The file upload functionality in DobryCMS allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can result in remote code execution.
This issue was fixed in versions above 5.0.
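The page states the defect as "files of any type and extension without restriction"; the following is an added example, not DobryCMS code, of the checks an upload handler needs so that the extension, the content and the stored filename are all under the server's control. The allow-list, size limit and magic-byte table are assumptions made for this example.

```python
import os
import secrets
from dataclasses import dataclass

# Constructed allow-list: permitted extension -> byte prefixes the content must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed limit for this example


class UploadRejected(ValueError):
    """Raised for any upload that fails a check; the caller returns an error."""


@dataclass
class StoredFile:
    original_name: str
    stored_name: str
    extension: str
    size: int


def _extension(filename: str) -> str:
    # Use only the last path component of the client-supplied name (both separators),
    # then only its final suffix, so 'x.php.png' is judged as 'png' and checked as PNG content.
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base or base.startswith("."):
        raise UploadRejected("file has no extension")
    return base.rsplit(".", 1)[1].lower()


def validate_upload(filename: str, data: bytes) -> StoredFile:
    """Accept only allow-listed extensions whose content matches, and rename on the server."""
    if not data:
        raise UploadRejected("empty file")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    ext = _extension(filename)
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")
    # The client never chooses the name on disk: random token plus the allow-listed extension.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return StoredFile(os.path.basename(filename.replace("\\", "/")), stored, ext, len(data))


def is_accepted(filename: str, data: bytes) -> bool:
    """Convenience wrapper used to check decisions without handling the exception."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


def store_upload(filename: str, data: bytes, upload_dir: str) -> str:
    """Write an accepted upload into upload_dir (assumed to lie outside the web root)."""
    meta = validate_upload(filename, data)
    path = os.path.join(upload_dir, meta.stored_name)
    with open(path, "xb") as fh:  # 'x' refuses to overwrite an existing file
        fh.write(data)
    return path


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + bytes(16)   # constructed minimal PNG header
    print(validate_upload("logo.png", png))
    print(is_accepted("shell.php", b"<?php echo 1; ?>"))        # False
    print(is_accepted("shell.php.png", b"<?php echo 1; ?>"))    # False
```

The three checks are deliberately independent: an extension allow-list alone still accepts a script renamed to `.png`, content sniffing alone still lets the client pick a name the web server may execute, and server-side renaming alone still stores arbitrary bytes. Keeping the upload directory outside the document root, with execution disabled for it, is the remaining configuration step the code cannot supply.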
Credits
We thank Jarosław Wieczorek, Paweł Berus, Kacper Gendosz and Karolina Buchnat for the responsible report of the Blind SQL Injection vulnerability. We also thank Dawid Radziński from RED SECURITY for the responsible report of the Unrestricted File Upload vulnerability.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.